Sunday, March 05, 2017

The Sky Isn't Falling. Yet.

I really love the Internet. I get a kick out of technology in general, of course,
but I'm crazy about the Internet in particular. When you think about what it's
given us—communication, information, empowerment, and more—it's difficult to
come up with too many other technologies that have had this great an impact. To
a great extent, the Internet has truly democratized information.

And yet . . . When I stop and think about
it, I kind of freak out. I mean, I don't want to sound alarmist or anything,
and I generally like to stay calm about the issues, but I THINK WE'RE ALL TOTALLY SCREWED!!

OK, there. I feel better now. I'm calm. But here's what I mean…

This is Hollywood Presbyterian Medical Center in East
Hollywood, CA. The hospital paid $17,000 to recover
its ransomed data files.

Let’s start with ransomware: This is malware that, when accidentally downloaded
(generally by people who have ignored the basic security rules that tech people
keep trying to get them to follow), encrypts your files, which it then holds
for ransom. (The ransom varies, but $300 to $500 or so is a typical ballpark:
enough to make it worthwhile for the bad guys, and just barely cheap enough for
most of us to at least consider paying the ransom.) In most cases, the
encryption is done very well and very quickly; you are not getting those files
back unless you pay the ransom. (Or unless you have a good backup and know how
to restore your files from that backup.)

Businesses and individuals have been getting hit with ransomware regularly, but more
recently, the bad guys have discovered other tempting targets: municipal
entities, law enforcement agencies, and hospitals, for instance. Think about
it: A small police department or hospital has data that is very
important, sometimes literally a matter of life and death, including such
things as patient records, info from medical devices (sometimes from various
implants), evidence stored for court cases, and more. This is critical stuff.
The data should have been backed up and the organization should have a relatively bulletproof
backup-and-restore process in place, but many such entities do not. That's why
the combination is almost irresistible to bad guys: These organizations have critical
data they cannot afford to lose, and crappy (or sometimes non-existent) IT
departments. The result? These are big, juicy targets; crooks can easily mount
an attack, and the payoff can be big.

How big? Last year, bad guys encrypted data from the Hollywood Presbyterian Medical
Center, and demanded $3.4 million (in untraceable Bitcoin, a digital cryptocurrency)
to give it back. Hospital executives declared a state of emergency and
employees reverted to paper and faxes. (Ironically, it's sometimes possible to
negotiate with the thieves; in this case, the hospital eventually paid about
$17,000 to get its files back. Still, $17,000 is a pretty good chunk of change.)

Of course, there are other attacks, and other types of attacks.

Last December 23rd, unknown intruders (possibly state-sponsored actors under Russian
control, though this remains unproven) hacked into the computers of the
Ukraine's (please do not ask me to pronounce this) Prykarpattyaoblenergo
electrical control center. Operators watched, dumbfounded and helpless, as the
intruder simply navigated through onscreen menus, shutting down some 30
electrical substations, one mouse-click at a time. The hacker then disabled
backup power supplies in two of the region’s three electrical distribution
centers, leaving all concerned literally and figuratively in the dark.

About 230,000 people were suddenly without electricity in an area where the
temperature that evening dropped to around 14 degrees Fahrenheit. (Lest you
think that the U.S. power grid is more secure and sophisticated than a control
center in Ukraine, note that many experts said that the Ukrainian station was better
secured than many U.S. stations.)

This is the first known hack of a power grid that resulted in a power outage of that
size, but it's probably not the last. (For a sensational—some reviewers said sensationalist—read on the subject, see Ted Koppel's Lights Out.) The reality is that, as
insecure as our private infrastructures (see the hospitals and corporations
mentioned above) are, many government and quasi-government infrastructures are
even more disorganized and less secure. (If this surprises you, then you
haven't been paying attention to news of the DNC—and now RNC and other—hacks.
Also, you've never been in the Army.)

Here's the problem in a nutshell: We took an inherently insecure technology, the
Internet (which was created to share, not hide, information), and made
it into the backbone of both our infrastructure and our economy. We've taken
steps to make it more robust and mitigate its weaknesses, but the reality is
that just about everything—from our power grid to our banking industry
and from hospitals to law enforcement—now runs on what turns out to be a
vulnerable and easily crippled technology.

And it's going to get worse as the Internet of Things takes hold. The IoT involves
connecting literally billions of things to the Internet, everything from
your toothbrush to your thermostat and from your doorbell to your dog’s water
bowl. Those connections will, for the most part, make your life much easier. Until
suddenly they don't.

Take baby monitors, for instance. It's comforting to know that your child is safe
and snug in his bed; being able to hear the cooing sounds your toddler makes as
he sleeps is soothing. Hearing the voice of some stranger speaking to your
child through the monitor is definitely not soothing, but it has
happened on occasion. Why? Well, the baby monitor is on your wireless network,
and is probably not very well protected. Neither you nor the manufacturer took
steps to secure that device.

This is just one of several brands of baby monitor
that has been hacked.

But the technology itself is not the only major problem. The other weakness is . . . well, us. Any security pro will tell you that the biggest vulnerability
is human, the people standing between the palace
door and the storeroom in which the crown jewels are held. Basically, people
are not very good at security, because we're lazy, naïve, and entirely too nice.
We really, really want to be helpful, so when we get an email asking for
information, we're all too ready to part with that information. When someone
claiming to be a hardware tech or copier repair person shows up at a place of
business with a clipboard, a baseball cap with a company logo, and a good story, people are almost always willing
to "help" him by parting with names, phone numbers, even passwords.

Almost without exception, we are the weak link in the security chain. We click
links in phishing emails, visit sketchy websites, download suspicious files,
and answer the (seemingly innocent) questions of people who wander into our
places of business. We place all our very personal information on the Internet
for anyone to see: between Facebook, LinkedIn, and Twitter, anyone looking for
information about you or your business has all he needs.

Chris Hadnagy is a
security expert and a penetration tester; companies pay him to break into their
networks in order to uncover flaws. Chris says that he can "social
engineer" (read: schmooze, lie, or finagle) his way onto any corporate
network well over 90% of the time. Years ago, says Chris, the difficult part of
his job was uncovering enough information to be able to mount a convincing
deception. Now, he says, with all the information floating around on the
Internet, his biggest problem is sifting through the tons of data
available to decide which pieces are most useful.

Still, a hacked baby monitor or an individual who’s fallen victim to ransomware is not
what worries me. We can learn to protect ourselves; if we don't, then we have
only ourselves to blame.

But state-sponsored attacks on infrastructure are another story. Weapons are rarely
made without someone wanting to find an excuse to use them, and the
Internet is, among other things, a weapon. It's simply too terrifyingly easy to
conduct an attack that could turn into a full-blown cyber war. A digital
attacker risks nothing, really. It's a form of warfare that, unlike all
other forms, is cheap, fast, simple, and deniable. That’s a temptation too
alluring to ignore. You can engage an enemy anonymously from half a world away,
and there's absolutely no risk that you or any of your fellow
"soldiers" will get hurt. You can cripple a region—or possibly an
entire country—with just a few well-placed strikes. Whether the attacker is a
state actor (or someone who operates at the behest of such actors) or an
independent guerilla operator, the technology is too available, the risk is too
small, and the payoff too big to ignore.

And that is what worries me. I do believe that we will eventually address many
or even most of these security issues, but I suspect that our actions will be
reactive in nature: nothing will be done until something very bad happens, and
then suddenly security will be on everyone's mind, from our legislators to our
law enforcement people, and from infrastructure developers to IoT
manufacturers.

We should probably be thinking about such matters before the sky starts falling.

14 comments:

Cyber Security experts estimate that intrusions into enterprise web sites go unrecognized for an average of 270 days. The intruder has the run of the space, damaging or pirating whatever data they choose. It is ominously formidable. We need to establish courses to train the average tech user in cyber self-defense.

Not a bad idea, I think... Although it takes us down a path leading to what is essentially licensing. That is, if you've NOT taken the course, you don't get access (or full access) to Internet functionality. Might in fact not be a bad idea (Rob Enderle seems to recommend this approach), but it'll be a rocky road to go down...

This is an excellent article, Mr. Scher. I feel much smarter—if a bit more anxious—for having read it. By the way, I'm told residents of Prykarpattyaoblenergo don't know how to pronounce their city's name, either.

It IS a bit unsettling when you think about it -- which I suppose is one reason people don't think about it! I couldn't live in Prykarpattyaoblenergo; I'd never be able to tell people where I live or how to get there. Then again, I couldn't live in Boring, OR either.

OK. Now you've ruined my day, a perfectly beautiful day, and I might add, my birthday. Was feeling only the usual daily social/political stress this morning, but hoping to avoid a full-blown meltdown, but JEEEZ! Along comes the Geekly. Question: How many problems can one brain deal with? Especially a brain that is 75 years old?

On the whole, we ARE too nice. Not me, man, I always look at everyone as if they are all axe murderers. (Oh dear, had to ask my English husband how to spell "axe", he said it is AXE in English but is most certainly spelled AX in American English. See the fascinating conversations we have?)

Oh, well, yeah. Not YOU, no. But the REST of us are too nice! :) Yes, MW lists "ax" as preferred, with "axe" as a variant! And yet, "ax" seems wrong to me. Of course, we could resolve the whole issue by going back to the Old English "æcs."

...which begs the question, how did we survive before the internet? While the internet has given us answers and solutions, it also takes away our ability to study and think for ourselves. Do we control the internet or does it control us?